Microsoft abandons Flash whitelist

There’s a concept in web design that is more important than responsive design, more important than mobile-first, more important than separating style and content; the most important concept in web design is backwards compatibility.

Most backwards compatibility is achieved by web designers with careful application of graceful degradation — the process by which advanced features are able to fail silently, without compromising content.

When we’re building sites, we can ensure that we provide support for even obsolete browsers. In fact, if you’re using HTML, CSS and JavaScript correctly, there’s no reason that sites shouldn’t be equally accessible in everything from the latest nightly-build of Firefox to an ancient text browser like Lynx.

That’s not the end of the story though, because new sites make up a tiny fraction of the internet. Browser manufacturers have to cater for all the sites out there. Not only do they have to support developing standards, but they need to support as many existing sites as possible — even when those sites are still using <blink> (for which there has never been any excuse). It’s no real surprise that browser manufacturers want to reduce the number of technologies they support.

Adobe’s once-flagship product Flash has been slammed in recent years, particularly by Apple, and whilst it was always unlikely that it would shuffle off this mortal coil altogether, most commentators expected .swf files to be very much a niche technology from the iPhone onwards.

Following Flash’s downward spiral, Microsoft — whose relationship with Flash had always tumultuous to say the least — enacted a policy that required sites to be whitelisted in order to run on Windows 8 and RT. Whilst they claimed the policy was to restrict sites that weren’t touch-ready, many suspected the policy was related to security holes that have plagued the Flash plugin for years.

However, in a surprising move, this week Microsoft have flipped this policy on its head, producing instead, a new blacklist. Flash will now run by default on IE10 unless the domain hosting the file has been found by Microsoft to be incompatible with their touch devices.

Internet Explorer 10 uses the CV list to block specific sites from running the Flash Player functionality supported in Internet Explorer in the Windows UI…Microsoft manages and distributes the CV list and determines which sites go on the list. Decisions are based on security and reliability concerns. — Microsoft statement

In other words, domains are free to run Flash on Internet Explorer by default, unless Microsoft specifies otherwise.

Why this change? Surely Microsoft don’t anticipate a resurgence in Flash websites? There are three likely reasons for the shift:

The first, and most understandable is that by creating a whitelist Microsoft caused themselves a substantial amount of admin work that enabling domains by default circumvents.

The second, may be that the security threat posed by Flash to Windows systems has either diminished as a result of other changes in Windows’ source code; or that the threat was over-estimated in the first place.

The third and most likely reason is gaming. Gamers traditionally opt for Windows over MacOS, largely because of the lack of premium gaming titles on Apple’s system. Apple has made huge in-roads with the number of games available in its app store. However, the gamer-rich legacy of Windows coupled with Adobe’s desperate attempts to reposition Flash as a gaming solution point at an unlikely path to survival for the plugin.

Fortunately public tolerance for Flash websites —complete with ‘skip intro’ links, loading bars and thumping techno — remains low. But it seems that Microsoft is betting that the technology has a future of some kind.

Are you affected by Microsoft’s switch from white, to blacklist? Do you think Microsoft were wrong to embed the Flash plugin in IE10? Let us know in the comments.

You do not seriously design for Lynx. That is no way to live. In practice you can dump anything before IE 7.

Benjie

In practice you can probably dump IE7 and possibly IE8 depending on your target demographic.

The point was that if your markup is correct and semantic, your CSS is separated and scripts are used for progressive enhancement, not mission-critical tasks, then your site will work perfectly in Lynx.